Unknown column "xyz" in "where clause"

Posted on 2024-09-15 16:00:11

I created a user-defined SQL query that doesn't work. Users are supposed to be able to enter search strings in an input field, submit, then see the results of their search, but every time I enter a search for something that I know is in the database I get the unknown column "x" in "where clause" error message.

Would you please help me fix the problem? Here's the code that I wrote for it so far...

...
mysql_select_db("mydb", $c);
$search = $_POST['search'];

$rslt = mysql_query("SELECT * FROM mytable
WHERE 'mycolumn' RLIKE $search");

while($row = mysql_fetch_array($rslt))
  {
  echo $row['myrow'];
  echo "<br />";
  }

if (!$row)
  {
  die('uh oh: ' . mysql_error());
  }

?>

蓝颜夕 2024-09-22 16:00:11

Change the code to this:
1) Convert quotes to backticks around the column name.
2) Surround $search with single quotes to make it a string.

 $rslt = mysql_query("SELECT * FROM mytable WHERE `mycolumn` RLIKE '{$search}'");

我还不会笑 2024-09-22 16:00:11

This helps for sure.
Just change the variable $search to be read as a string, i.e. $search,
so it will be like this:

$rslt = mysql_query("SELECT * FROM mytable WHERE mycolumn RLIKE '$search'");

缪败 2024-09-22 16:00:11

I would like to add a few points about security and performance.

It is unsafe to put user input (any GET, POST or cookie data) directly into the SQL query. This is a serious security issue called SQL injection. To avoid it, use the mysql_real_escape_string() function.

Also, SELECT * FROM mytable ... is not a good practice. It is recommended to explicitly list all the columns needed even if they all are:

SELECT col1, col2, col3, col4, col5 FROM mytable ...
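
An added example (not part of the original question or answers) showing why wrapping $search in quotes inside the SQL string, as the first two answers do, still leaves the query open to the SQL injection the third answer describes, next to a bound-parameter version. It uses PDO because the mysql_* functions on this page were removed in PHP 7. Assumptions: an in-memory SQLite database stands in for the MySQL server so the script runs without one, REGEXP stands in for RLIKE (a synonym in MySQL), and the rows, function names and inputs are constructed for the demo.

```php
<?php
// Constructed demo data; SQLite in memory stands in for the MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// SQLite has no built-in REGEXP; "X REGEXP Y" calls the user function regexp(Y, X).
$db->sqliteCreateFunction('regexp', function ($pattern, $value) {
    $delimited = '~' . str_replace('~', '\~', (string) $pattern) . '~';
    return (int) preg_match($delimited, (string) $value);
}, 2);

$db->exec("CREATE TABLE mytable (id INTEGER PRIMARY KEY, mycolumn TEXT)");
$db->exec("INSERT INTO mytable (mycolumn) VALUES ('apple'), ('banana'), ('cherry')");

// The value is pasted into the SQL text inside quotes, as in the first two answers.
function search_interpolated(PDO $db, string $search): array
{
    $sql = "SELECT id, mycolumn FROM mytable WHERE mycolumn REGEXP '$search'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN, 1);
}

// The value is sent as a bound parameter and never becomes part of the SQL text.
function search_bound(PDO $db, string $search): array
{
    $stmt = $db->prepare(
        "SELECT id, mycolumn FROM mytable WHERE mycolumn REGEXP :pattern"
    );
    $stmt->execute([':pattern' => $search]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN, 1);
}

// First input is an ordinary search; the second is a constructed input whose
// quote ends the string literal early and appends an always-true condition.
$inputs = ['an', "zzz' OR '1'='1"];
foreach ($inputs as $input) {
    echo "input: $input\n";
    echo "  interpolated: ", implode(',', search_interpolated($db, $input)), "\n";
    echo "  bound:        ", implode(',', search_bound($db, $input)), "\n";
}
```

For the ordinary input both functions return only banana; for the second input the interpolated query returns every row, while the bound query treats the whole value as a pattern and returns nothing.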